This narrative report is a follow-up to our fiscal year (FY) 2017 Federal Information Security Modernization Act (FISMA) submission to the Office of Management and Budget. It provides findings and recommendations related to PBGC's information security program.
We contracted with CliftonLarsonAllen LLP, an independent public accounting firm, to perform an evaluation of PBGC's information security program as required by FISMA. Our independent public accountants found the maturity level of four of the five functional areas at Consistently Implemented (Level 3) and one functional area at Defined (Level 2). PBGC made progress in improving its information security and privacy program, closing 11 of 30 open recommendations from prior years. However, FY 2017 weaknesses were noted in risk management, vulnerability and configuration management, identity and access management, information security continuous monitoring, and contingency planning. This report presents 24 recommendations, of which five are new. These recommendations are in addition to the FISMA-related recommendations made in the FY 2017 internal control report.